Asiawood

From Spamhuntress

(Redirected from Asianwood)

Spammer who appears to break into innocent websites and plant files that generate spammy redirect pages for him. He then spamvertises those addresses in guestbooks and similar places.

Named after his e-mail address, which is also the contact e-mail address of a seemingly legitimate company in Russia.

The file he plants on websites is usually named read.php. It is typically dropped into an existing subdirectory whose directory listing is world-readable. He selects the page to serve by appending a keyword to the file name in the URL, like this:

?q=phentermine

We have seen one instance of the planted file being named wp-read.php. The redirects usually only fire when the request carries a Referer from a search engine; anyone else (site owners, anti-spammers) gets JavaScript rigged to return an error or something similar, so the page looks broken rather than spammy. Fetch the file both with and without a search-engine Referer before concluding it is harmless.
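Two checks a site owner or anti-spammer would want at this point, written by the editor as an added example (this is not code from the page or from the spammer): a scanner that walks a web root and flags planted read.php / wp-read.php style redirect scripts, and a comparison of two responses to the same URL, one fetched without a Referer and one with a search-engine Referer, to expose the referrer gating described above. The page does not show the body of the planted script, so the content markers and the constructed sample read.php below are assumptions about what such a script typically contains; the domain example.invalid and the temporary web root are likewise constructed.

```python
"""Scan for planted redirect scripts and detect search-engine referrer cloaking.
Editor-added example; the marker list and sample file are assumptions, not the
spammer's actual code."""
import os
import re
import tempfile
import urllib.error
import urllib.request

# Filenames the page reports for this spammer (wp-read.php seen once).
SUSPECT_NAMES = {"read.php", "wp-read.php"}

# Generic indicators of a referrer-gated redirect script (assumed markers).
REDIRECT_MARKERS = [
    re.compile(r"header\s*\(\s*['\"]Location:", re.I),
    re.compile(r"(window|document|top)\.location", re.I),
    re.compile(r"HTTP_REFERER|document\.referrer", re.I),
    re.compile(r"\b(google|yahoo|msn|live)\b", re.I),
    re.compile(r"\$_(GET|REQUEST)\s*\[\s*['\"]q['\"]", re.I),
]


def score_file(path):
    """Return the reasons a file looks like a planted redirect script ([] if clean)."""
    reasons = []
    name = os.path.basename(path)
    if name in SUSPECT_NAMES:
        reasons.append(f"suspect filename {name}")
    try:
        with open(path, "r", errors="replace") as fh:
            text = fh.read(65536)
    except OSError:
        return reasons
    hits = [m.pattern for m in REDIRECT_MARKERS if m.search(text)]
    if len(hits) >= 2:  # one marker alone is common in legitimate code
        reasons.append("redirect/referrer markers: " + "; ".join(hits))
    return reasons


def scan_webroot(root):
    """Walk a web root; return {relative path: reasons} for suspicious PHP files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower().endswith((".php", ".phtml", ".php5")):
                p = os.path.join(dirpath, f)
                reasons = score_file(p)
                if reasons:
                    findings[os.path.relpath(p, root)] = reasons
    return findings


def build_demo_webroot():
    """Constructed sample: a benign index.php plus a planted read.php in a subdir."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'Hello'; ?>\n")
    with open(os.path.join(root, "images", "read.php"), "w") as fh:
        fh.write(
            "<?php\n$q = $_GET['q'];\n"
            "if (strpos($_SERVER['HTTP_REFERER'], 'google') !== false) {\n"
            "  header('Location: http://example.invalid/?q=' . urlencode($q));\n"
            "} else { echo 'Error 404'; }\n"  # cloak: plain visitors see an error
        )
    return root


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects; we want to see the 3xx itself."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, referer=None):
    """Fetch url once; return (status, Location header or None, first 200 body bytes)."""
    req = urllib.request.Request(url, headers={"Referer": referer} if referer else {})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location"), resp.read(200)
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here with NoRedirect
        return e.code, e.headers.get("Location"), e.read()[:200]


def classify_cloaking(plain, with_ref):
    """Compare (status, location, body) fetched without and with a search-engine Referer."""
    p_status, p_loc, p_body = plain
    r_status, r_loc, r_body = with_ref
    if 300 <= r_status < 400 and not 300 <= p_status < 400:
        return "referrer-gated redirect"
    if (p_status, p_loc, p_body) != (r_status, r_loc, r_body):
        return "referrer-dependent content"
    return "consistent"


if __name__ == "__main__":
    for path, why in scan_webroot(build_demo_webroot()).items():
        print(path, "->", why)
    # Live use (not run here): classify_cloaking(probe(u), probe(u, "http://www.google.com/search?q=x"))
```

The scanner only reads files, so it is safe to run against a backup of the web root; run `probe` against the suspect URL with a Google-style Referer to confirm the gating before deleting anything, and keep the planted file for evidence.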

There might be a connection with Scrimak, who also seems to use read.php and has a domain on the same server as Asiawood.



Domains:

  • more777.info
  • bettingcasinosite.com
  • miror.org


IP numbers:

  • 66.235.179.212
  • 216.195.51.168
  • 88.214.200.20


Whois:

N/A
Michael (info@asiawood.ru)
Lenina, 6
Kurgan
null,640000
RU
Tel. +7.9128351001

Someone coming from 84.252.148.8 tried to change the details to these:

Lenina, 43
Tel. +7.9145356001

Might be subterfuge, or someone who knows?

Updates:

  • 81.25.39.12 says: Obviously asiawood.ru is a serial victim of Turkish hackers. There is absolutely no connection between trading wood and phentermine. And there is no sense in showing the firm's address here.

That's nonsense. Turkish hackers have nothing to do with this case. The spammer was Russian, and Asiawood is Russian. Let's say Asiawood was hacked (at the time I investigated the spam). If that were true, the spammer must somehow have gotten control of Asiawood's main e-mail address, the same one they use for whois info and on the site. That's not very likely.

You know, TODAY there's a notice on the front page of Asiawood that it's been hacked. But that wasn't there when I gathered background info. And MSN's cache backs that up. I'd say it's entirely possible the frontpages on asiawood.ru and gettoppills.com are "hackings of convenience" to try and throw off suspicion. In fact, it's making Asiawood look more suspicious, not less. Oh, and I hadn't been able to connect gettoppills to Asiawood before, so thanks for that. I found files redirecting to that domain on the same hacked sites as I found hacks from Asiawood on, but wasn't sure about gettoppills.com... --Spamhuntress 11:55, 12 Sep 2006 (CDT)

  • The hacked redirects no longer work. Probably because we exposed him. --Spamhuntress 16:11, 14 Sep 2006 (CDT)